| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Nov 2020 21:04:22 +0100
From: Jann Horn <jannh@...gle.com>
To: Sargun Dhillon <sargun@...gun.me>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>,
Tycho Andersen <tycho@...ho.pizza>,
Christian Brauner <christian@...uner.io>,
Kees Cook <keescook@...omium.org>,
Daniel Borkmann <daniel@...earbox.net>,
Giuseppe Scrivano <gscrivan@...hat.com>,
Song Liu <songliubraving@...com>,
Robert Sesek <rsesek@...gle.com>,
Containers <containers@...ts.linux-foundation.org>,
linux-man <linux-man@...r.kernel.org>,
lkml <linux-kernel@...r.kernel.org>,
Aleksa Sarai <cyphar@...har.com>,
Alexei Starovoitov <ast@...nel.org>,
Will Drewry <wad@...omium.org>, bpf <bpf@...r.kernel.org>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: For review: seccomp_user_notif(2) manual page [v2]
On Mon, Nov 2, 2020 at 8:50 PM Sargun Dhillon <sargun@...gun.me> wrote:
> On Mon, Nov 2, 2020 at 11:45 AM Michael Kerrisk (man-pages)
> <mtk.manpages@...il.com> wrote:
> > Caveats regarding blocking system calls
> > Suppose that the target performs a blocking system call (e.g.,
> > accept(2)) that the supervisor should handle. The supervisor
> > might then in turn execute the same blocking system call.
> >
> > In this scenario, it is important to note that if the target's
> > system call is now interrupted by a signal, the supervisor is not
> > informed of this. If the supervisor does not take suitable steps
> > to actively discover that the target's system call has been
> > canceled, various difficulties can occur. Taking the example of
> > accept(2), the supervisor might remain blocked in its accept(2)
> > holding a port number that the target (which, after the
> > interruption by the signal handler, perhaps closed its listening
> > socket) might expect to be able to reuse in a bind(2) call.
> >
> > Therefore, when the supervisor wishes to emulate a blocking system
> > call, it must do so in such a way that it gets informed if the
> > target's system call is interrupted by a signal handler. For
> > example, if the supervisor itself executes the same blocking
> > system call, then it could employ a separate thread that uses the
> > SECCOMP_IOCTL_NOTIF_ID_VALID operation to check if the target is
> > still blocked in its system call. Alternatively, in the accept(2)
> > example, the supervisor might use poll(2) to monitor both the
> > notification file descriptor (so as as to discover when the
> > target's accept(2) call has been interrupted) and the listening
> > file descriptor (so as to know when a connection is available).
> >
> > If the target's system call is interrupted, the supervisor must
> > take care to release resources (e.g., file descriptors) that it
> > acquired on behalf of the target.
> >
> > Does that seem okay?
> >
> This is far clearer than my explanation. The one thing is that *just*
> poll is not good enough, you would poll, with some timeout, and when
> that timeout is hit, check if all the current notifications are valid,
> as poll isn't woken up when an in progress notification goes off
> AFAIK.
Arguably that's so terrible that it qualifies for being in the BUGS
section of the manpage.
If you want this to be fixed properly, I recommend that someone
implements my proposal from
<https://lore.kernel.org/lkml/CAG48ez1O2H5HDikPO-_o-toXTheU8GnZot9woGDsNRNJqSWesA@mail.gmail.com/>,
unless you can come up with something better.
Powered by blists - more mailing lists